Networks connect many computers together allowing them to exchange date via communications lines. Several standards defining how such date exchanges should occur have been developed and implemented to ensure that computer and computer programs using the same protocols can successfully exchange data. One of the problems associated with the ability to exchange data is ensuring that the security of a computer attached to such a network is safe from attack by someone who is not authorized to access the computer. There has been an explosion in the growth of computer networks as organizations realize the benefits of networking their personal computers and workstations. Increasingly, these networks are falling prey to malicious outsiders who hack into the network, reading and sometimes destroying sensitive information. Exposure to such attacks has increased as companies connect to outside networks such as the Internet.
A common communication on networks, such as the Internet, are messages relating to ensuring that computers are set to the proper time. This is important in time stamping further communications and in ensuring that time triggered events occur when desired. Extremely accurate clocks are expensive, and not many computers have them. Thus, when a process running on a computer needs to have the correct time, it may need to ask for the time from a different source.
To facilitate the setting of time in computers attached to the Internet, a Network Time Protocol (NTP) standard has been established. It provides a way for all clocks in computers on a network to be synchronized. A formal specification of NTP version 3 is described in RFC1305, which is published in many places on the Internet, and implemented by many computer owners to synchronize the clocks on their computers.
At a high level, software called a client, on one computer sends a NTP message to one or more servers which are thought to have accurate time. The client then processes the replies, which contain information representative of the correct time. The client then determines the server time with respect to local time and adjusts the local clock accordingly. In some implementations, multiple servers are asked for the time, and the replies are processed to account for delays and known errors. In general the approach involves mutually coupled oscillators and maximum-likelihood estimation and clock-selection procedures, together with a design that allows provable assertions on error bounds to be made relative to stated assumptions on the correctness of the primary reference sources. In essence, a system of distributed NTP peers operates as a set of coupled phase-locked oscillators, with an update algorithm functioning as a phase detector and the local clock as a disciplined oscillator, but with deterministic error bounds calculated at each step in the time-transfer process. This known process utilizes a NTP time stamp represented as a 64 bit unsigned fixed point number which allows precision to about 200 picoseconds.
NTP messages between multiple servers and a host attempting to update its clock, flow back and forth, sometimes at set intervals in the range of one minute or less if great accuracy is desired. One problem associated with such message traffic is that it does not protect against unauthorized access to the host attempting to update its time. NTP uses a simple transport protocol called User Datagram Protocol (UDP.) UDP is a protocol for processes to exchange datagrams such as time requests between processes coupled via Internet Protocol (IP.) One important feature of the UDP protocol is that there is no assurance that a message will get through. It is said to be an unreliable communications protocol for this reason. No continuous connection is established, and since there is no maintenance of the states of messages to ensure the delivery, there is very little overhead in implementing the UDP communication protocol. It also means that since there is no continuous connection, it is easier for someone to attempt unauthorized communication by simply sending message to a port that is known to be waiting for replies to a time request or proxy from any given process running on the host. There is a need to provide a safe way to provide an accurate indication of time to a process without exposing it to unauthorized access. There is also a need to synchronize a host's clock accurately with other accurate clocks on a network. There is a need to synchronize the host's clock in such a manner that does not have high overhead and does not allow unauthorized access to the host.